@hellpig/anarchy-tracking 1.6.0

package/legal/PRIVACY.md

@@ -0,0 +1,52 @@
+# Privacy Notice — @hellpig/anarchy-tracking
+
+**Effective date:** TBD until market release
+
+**Controller:** Sergei Panfilov — Contact: TBD until market release
+
+**Scope / Identification.** This notice applies to the **open-source project** **@hellpig/anarchy-tracking** (hosted on or mirrored to **public code hosting platform(s)**). We do **not** operate a consumer service through this repository.
+
+**CPRA (California):** we **do not sell or share** personal information for cross-context behavioral advertising and we do **not** process **sensitive personal information** in this repository context.
+
+## 1. Repository Interactions
+
+If you open issues, pull requests, or discussions, the content you submit (including your profile/handle and attachments) becomes **public** on the code-hosting platform(s) where the repository is published and is processed under the applicable platform’s privacy policy. We may process this **public** information to operate, maintain, and improve the project.
+Copies of public content may also appear in mirrors, forks, caches, archival copies, package registries, or on physical media distributed by others; we do not control those third-party copies, and requests regarding them should be directed to the respective distributor or platform.
+
+**Legal basis:** our **legitimate interests** in running the project.
+
+**Retention:** issue/PR/discussion history is retained as part of the **public project record**. Edits/deletions are handled via the platform’s features; historical records (e.g., git history) may persist.
+
+## 2. Communications
+
+If you email **TBD until market release**, we process your **email address**, **message content**, and any information you provide to respond.
+
+**Legal basis:** our **legitimate interests** in responding to inquiries (or your **consent**, where applicable).
+
+**Retention:** **24 months** from the date of our **last interaction in the support thread** (or ticket closure), then deletion or **irreversible anonymization**, unless longer retention is required by law or to establish, exercise, or defend **legal claims**.
+
+## 3. Processors & Transfers
+
+We may use service providers (e.g., email or CI hosting) as **processors**, bound by data-processing terms and our instructions. Where personal data is transferred outside your jurisdiction, we rely on recognized transfer mechanisms (e.g., **Standard Contractual Clauses**) where required by law.
+
+## 4. Your Rights
+
+Where applicable, you may request **access**, **rectification**, **erasure**, **restriction**, **objection**, **portability**, and **withdrawal of consent** (for processing based on consent) at **TBD until market release**. You may also contact your local supervisory authority (e.g., the Dutch **Autoriteit Persoonsgegevens**, Brazil’s **ANPD**, Canada’s **OPC**, Australia’s **OAIC**). We may request reasonable information to **verify your identity** before acting on a request and will respond **within timelines required by applicable law**.
+
+## 5. Security
+
+We apply appropriate technical and organizational measures proportionate to the limited personal data we handle in connection with the repository (e.g., encrypted transport, access controls, limited retention). We do **not** use automated decision-making that produces legal or similarly significant effects.
+
+## 6. Children
+
+This project is intended for developers and is **not** directed to children.
+
+## 7. Changes
+
+We may update this notice by committing changes to the repository (the commit history indicates the effective date of each version). Material updates may also be summarized in the repository’s release notes or documentation.
+
+## Governing Language
+
+This **notice** is drafted in English. Translations may be provided for convenience. In markets where local-language versions are required by law for clarity and fairness, the local-language version controls to the extent required by applicable law; otherwise, the English version controls.
+
+**Contact:** TBD until market release

package/legal/SECURITY.md

@@ -0,0 +1,49 @@
+# Security Policy — @hellpig/anarchy-tracking
+
+**Effective date:** TBD until market release
+
+**Security Contact:** TBD until market release (email preferred for sensitive reports)
+
+## Scope
+
+This policy applies to the open-source project **@hellpig/anarchy-tracking** (the “Project”). It is provided for community coordination only and **does not create service levels (SLAs), warranties, or contractual obligations**.
+It covers the Project’s **source code** and our **officially published release artifacts** (e.g., package registries, release archives, documentation sites, **container images**, or **CDN bundles**) that **we** publish. It does **not** cover third-party repackaging, unofficial builds, downstream products, hosting-platform infrastructure, or **commercial editions**.
+
+**Technical identifiers (optional):** `@hellpig/anarchy-tracking`.
+
+## Reporting (CVD)
+
+- **Report:** email **TBD until market release** with steps to reproduce, affected commit/tag, and impact (if known). If possible, include a short patch or mitigation suggestion.
+- **Public disclosure:** please **do not file public issues with exploit details**; coordinate timing with us to allow a fix or mitigation to be available where reasonably possible.
+
+## Handling & Disclosure
+
+This is a volunteer-maintained Project. We’ll make a **good-faith effort** to review and prioritize reports; **no timelines are promised**. We may publish an advisory if the issue materially impacts users. There is **no bug bounty** unless explicitly announced.
+
+### Research Guidelines (please follow)
+
+- Avoid accessing, modifying, or exfiltrating data you do not own; minimize impact and stop testing if you encounter personal data.
+- Do not perform tests that degrade availability for others (e.g., volumetric DoS).
+- Test only assets we publish through our **official channels** and that are reasonably within this Project’s scope.
+- Vulnerabilities in **third-party platform infrastructure** (e.g., registry/hosting/CDN systems) are **out of scope** unless they result **directly** from our published code or configuration.
+- Comply with applicable law and third-party terms.
+
+## Version Support
+
+We generally address issues on **main** and the **latest stable** release. Older releases may not receive fixes; please upgrade.
+
+## Advisories
+
+If warranted, we will publish a security note or advisory in the repository or adjacent Project materials (e.g., `SECURITY`, `CHANGELOG`, release notes, or the advisories section). There is **no SLA**.
+Copies of public content may also appear in mirrors, forks, caches, or package registries controlled by others; **we do not control those third-party copies**.
+
+## In / Out of Scope
+
+- **In scope:** issues that materially impact the confidentiality, integrity, or availability of the Project’s code or its documented build/update mechanisms, as **we** publish them.
+- **Out of scope:** social engineering, physical attacks, denial-of-service on third-party platforms, vulnerabilities in hosting/store/kernel infrastructure not packaged with the Project, issues in **unofficial forks**, repackaged distributions, or downstream products.
+
+## Safe Harbor
+
+We welcome good-faith research that avoids privacy violations and service disruption. If you comply with this policy and act in good faith, we **do not intend** to pursue legal action **solely** for your security research on this Project. This policy does not authorize unlawful activity or override third-party terms, and it does not protect actions that cause harm or data loss.
+
+**Governing Law:** subject to mandatory law, matters under this policy are handled under **The Netherlands/Amsterdam**.